This Metasploit module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices running FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being auto_prepend_file which causes the provided file to be added using the require function. The second PHP function is allow_url_include which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option JAIL_BREAK, that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.
23552b23e1cc0e2022181944f8894c8f7203e6893e7d1127561c3ffd867b9517BDS Freebsd KLD rootkit for FreeBSD 13 that hides files, hides processes, hides ports, and has a bind shell backdoor.
9f6dc7f9bcc4c0f52a39a3c80657272125ec54dc594b44cc36889b2ff724d07cOutline version 1.6.0 suffers from an unquoted service path vulnerability.
c7fdf86fb00365bd53d570e0ff758cfd8ba014d2dce9b75b8d6db96e15e882eeHuman Resource Management System version 1.0 suffers from an unauthenticated remote SQL injection vulnerability.
4f80b588a513bbcbb3b08d9782eb8b87aa9be2291590ff110ec8d9d5b3b889e5FreeBSD versions 11.0 through 13.0 suffers from a local privilege escalation vulnerability via an aio_aqueue kernel refcount bug. This research post goes into great depth on how the researcher traversed the logic flow and achieved exploitability.
326b5e8f7907c92be98ab7e3ac35bb7766ebdf09bf20a0f1659fef3debf9aa56This Metasploit module exploits a race and use-after-free vulnerability in the FreeBSD kernel IPv6 socket handling. A missing synchronization lock in the IPV6_2292PKTOPTIONS option handling in setsockopt permits racing ip6_setpktopt access to a freed ip6_pktopts struct. This exploit overwrites the ip6po_pktinfo pointer of a ip6_pktopts struct in freed memory to achieve arbitrary kernel read/write.
00b0e1e6a5651af403765318e00556b0c8953f9ef2bbda38acb929b269045b6aSony PS4 versions prior to 7.02 and FreeBSD versions 9 and 12 ip6_setpktopt kernel local privilege escalation proof of concept exploit.
aa0c602e1d16bd1c07fd735367383c0e4038bf3d25ff79c8ec71ab25d9f2b9f2FreeBSD Security Advisory - The kernel can create a core dump file when a process crashes that contains process state, for debugging. Due to incorrect initialization of a stack data structure, up to 20 bytes of kernel data stored previously stored on the stack will be exposed to a crashing user process. Sensitive kernel data may be disclosed.
178d5992a84290ac4a8dc6947197a0096dd8c410a6b2c14c552637e40cf2ff97FreeBSD Security Advisory - A missing check means that an attacker can reinject an old packet and it will be accepted and processed by the IPsec endpoint. The impact depends on the higher-level protocols in use over IPsec. For example, an attacker who can capture and inject packets could cause an action that was intentionally performed once to be repeated.
e5c1b2cd25568643f6713e1fd53907b388b7c12585108e84595b0c0c2ac91c36FreeBSD Security Advisory - A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers. An attacker in control of the URL to be fetched (possibly via HTTP redirect) may cause a heap buffer overflow, resulting in program misbehavior or malicious code execution.
58eb688b18a5f5586d60c4a6d426da578c845550c391c45bbf4d3e093091639eLocal root exploit for the FreeBSD fd vulnerability as disclosed in FreeBSD-SA-19:02.fd.
05adfc97defa9b66032601dddbc7174d89d7c42893b3449bce122d3043b86df0Local root exploit for the FreeBSD mqueuefs vulnerability as disclosed in FreeBSD-SA-19:15.mqueuefs.
90adbf6571ee419b5720c2c77c09ae73c0b991d5356d6bf9cdef1949b5a67b6dFreeBSD Security Advisory - Intel discovered a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system. Malicious guest operating systems may be able to crash the host.
136279366752dfb4e0c2529e71b4b97464d958bd1c62cdd82d59cff6ffd2444cFreeBSD Security Advisory - From time to time Intel releases new CPU microcode to address functional issues and security vulnerabilities. Such a release is also known as a Micro Code Update (MCU), and is a component of a broader Intel Platform Update (IPU). FreeBSD distributes CPU microcode via the devcpu-data port and package.
23eef89d8eeb80cd7f3d30fda491fafe5e3fa0290ff6e657bb63731a35babb3cFreeBSD Security Advisory - The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. The races allow a program to read kernel memory within a 4GB window centered at midistat's data buffer. The buffer is allocated each time the device is opened, so an attacker is not limited to a static 4GB region of memory. On 32-bit platforms, an attempt to trigger the race may cause a page fault in kernel mode, leading to a panic.
7c9c21bed5459872dd4210ae02562ae099d6c61dff5b90156a9765cf1beeb7c5FreeBSD Security Advisory - System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. A local user can use this flaw to obtain access to files, directories, sockets, etc., opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.
b8976c51a157ffad5c715c1c5e8e3c4be69500c550b1d9f9a9862cd2b065c512FreeBSD Security Advisory - The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. The races allow a program to read kernel memory within a 4GB window centered at midistat's data buffer. The buffer is allocated each time the device is opened, so an attacker is not limited to a static 4GB region of memory. On 32-bit platforms, an attempt to trigger the race may cause a page fault in kernel mode, leading to a panic.
f3a37b5b4a8b054c0d5f798740e9983852e75de9e88318c41e4bfc0a3b6709bcFreeBSD Security Advisory - Due do a missing check in the code of m_pulldown(9) data returned may not be contiguous as requested by the caller. Extra checks in the IPv6 code catch the error condition and trigger a kernel panic leading to a remote DoS (denial-of-service) attack with certain Ethernet interfaces. At this point it is unknown if any other than the IPv6 code paths can trigger a similar condition.
1f311d34b4e8c453ffa41707ecfe3219803c47358a8d270ea06614aad0a80509FreeBSD Security Advisory - The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets. When TCP segmentation offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage. A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.
5e5c704f8d1d9d95ef61652110af66385c6af7587e83674bd336e945b3308d47FreeBSD Security Advisory - A function extracting the length from type-length-value encoding is not properly validating the submitted length. A remote user could cause, for example, an out-of-bounds read, decoding of unrelated data, or trigger a crash of the software such as bsnmpd resulting in a denial of service.
f03bcb9feddf2d950ed61f77228c3a12e63a2a09995ac33ae2fea33ab21e623bFreeBSD Security Advisory - The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic.
86cd4d5aa66f71d8010f300a18e1ff2919650d4f774ebb9f118b77a491c22e1bFreeBSD Security Advisory - The decompressor used in bzip2 contains a bug which can lead to an out-of-bounds write when processing a specially crafted bzip2(1) file. bzip2recover contains a heap use-after-free bug which can be triggered when processing a specially crafted bzip2(1) file. An attacker who can cause maliciously crafted input to be processed may trigger either of these bugs. The bzip2recover bug may cause a crash, permitting a denial-of-service. The bzip2 decompressor bug could potentially be exploited to execute arbitrary code. Note that some utilities, including the tar(1) archiver and the bspatch(1) binary patching utility (used in portsnap(8) and freebsd-update(8)) decompress bzip2(1)-compressed data internally; system administrators should assume that their systems will at some point decompress bzip2(1)-compressed data even if they never explicitly invoke the bunzip2(1) utility.
c0796921394dbd2b07e095dfc85718db5fd86cd3cd5df94e1e8e5e3f050f2c2cFreeBSD Security Advisory - If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file structure. A local user can exploit the bug to gain root privileges or escape from a jail.
ed0e020ba12b1dc01aa8d83590ac696a40d1fccad60067e1fb8300dfbb889466FreeBSD Security Advisory - The pci_xhci_device_doorbell() function does not validate the 'epid' and 'streamid' provided by the guest, leading to an out-of-bounds read. A misbehaving bhyve guest could crash the system or access memory that it should not be able to.
22ddae49f77be04a48b0ef2c715801539b562f34653337c23b52f4f5dfa1668bFreeBSD Security Advisory - System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. A local user can use this flaw to obtain access to files, directories, sockets etc. opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.
489c8ae54e5e9d5645a9286ff4c958fe29ebf8eb10cfad1509a4f8ce2b45cf9e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed